Source: Loader.exe | Virustotal: Detection: 26% |
Source: Loader.exe | ReversingLabs: Detection: 23% |
Source: Submited Sample | Integrated Neural Analysis Model: Matched 100.0% probability |
Source: Loader.exe, 00000000.00000002.2645911033.0000000140103000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: -----BEGIN PUBLIC KEY----- | memstr_01bb218d-d |
Source: unknown | HTTPS traffic detected: 172.67.133.190:443 -> 192.168.2.5:49706 version: TLS 1.2 |
Source: unknown | HTTPS traffic detected: 104.26.1.5:443 -> 192.168.2.5:49709 version: TLS 1.2 |
Source: | Binary string: c:\users\cloudbuild\337244\sdk\nal\src\winnt_wdm\driver\objfre_wnet_AMD64\amd64\iqvw64e.pdb source: Loader.exe, 00000000.00000002.2645911033.0000000140103000.00000002.00000001.01000000.00000003.sdmp |
Source: Joe Sandbox View | IP Address: 104.26.1.5 104.26.1.5 |
Source: Joe Sandbox View | JA3 fingerprint: bd0bf25947d4a37404f0424edf4db9ad |
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 |
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 |
Source: global traffic | DNS traffic detected: DNS query: download.simpletoolz.fun |
Source: global traffic | DNS traffic detected: DNS query: keyauth.win |
Source: Loader.exe, 00000000.00000002.2645911033.0000000140103000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0 |
Source: Loader.exe, 00000000.00000002.2645911033.0000000140103000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: http://ocsp.thawte.com0 |
Source: Loader.exe, 00000000.00000002.2645911033.0000000140103000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0 |
Source: Loader.exe, 00000000.00000002.2645911033.0000000140103000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0( |
Source: Loader.exe, 00000000.00000002.2645911033.0000000140103000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: http://ts-ocsp.ws.symantec.com07 |
Source: Loader.exe, 00000000.00000002.2645911033.0000000140103000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://curl.se/docs/alt-svc.html |
Source: Loader.exe, 00000000.00000002.2645911033.0000000140103000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://curl.se/docs/hsts.html |
Source: Loader.exe, 00000000.00000002.2645911033.0000000140103000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://curl.se/docs/http-cookies.html |
Source: Loader.exe, 00000000.00000002.2645723910.00000000022FC000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: https://download.simpletoolz.fun/blacklist/blacklist.jso |
Source: Loader.exe, 00000000.00000002.2645466692.000000000043C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://download.simpletoolz.fun/blacklist/blacklist.json |
Source: Loader.exe, 00000000.00000002.2645466692.000000000043C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://download.simpletoolz.fun/blacklist/blacklist.json.dll |
Source: Loader.exe, 00000000.00000002.2645466692.000000000043C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://download.simpletoolz.fun/blacklist/blacklist.jsonxe |
Source: Loader.exe, 00000000.00000002.2645466692.0000000000452000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://keyauth.win/api/1.3/ |
Source: Loader.exe, 00000000.00000002.2645466692.0000000000452000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://keyauth.win/api/1.3/T |
Source: Loader.exe, 00000000.00000002.2645466692.0000000000452000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://keyauth.win/api/1.3/j |
Source: unknown | Network traffic detected: HTTP traffic on port 49709 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 49706 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49709 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49706 |
Source: C:\Users\user\Desktop\Loader.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6468 -s 484 |
Source: Loader.exe, 00000000.00000002.2645911033.0000000140103000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameiQVW64.SYSH vs Loader.exe |
Source: classification engine | Classification label: mal80.evad.winEXE@15/1@2/3 |
Source: C:\Windows\System32\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1784:120:WilError_03 |
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7112:120:WilError_03 |
Source: C:\Windows\System32\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\e46ce1de-d58a-4a69-aeb3-0fead5b08ed0 |
Source: C:\Users\user\Desktop\Loader.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: unknown | Process created: C:\Users\user\Desktop\Loader.exe "C:\Users\user\Desktop\Loader.exe" |
Source: C:\Users\user\Desktop\Loader.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
Source: C:\Users\user\Desktop\Loader.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c cls |
Source: C:\Users\user\Desktop\Loader.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\user\Desktop\Loader.exe" MD5 | find /i /v "md5" | find /i /v "certutil" |
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\certutil.exe certutil -hashfile "C:\Users\user\Desktop\Loader.exe" MD5 |
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\find.exe find /i /v "md5" |
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\find.exe find /i /v "certutil" |
Source: C:\Users\user\Desktop\Loader.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c start cmd /C "color b && title Error && echo SSL connect error && timeout /t 5" |
Source: C:\Users\user\Desktop\Loader.exe | Section loaded: apphelp.dll |
Source: C:\Users\user\Desktop\Loader.exe | Section loaded: msvcp140.dll |
Source: C:\Users\user\Desktop\Loader.exe | Section loaded: wininet.dll |
Source: C:\Users\user\Desktop\Loader.exe | Section loaded: userenv.dll |
Source: C:\Users\user\Desktop\Loader.exe | Section loaded: vcruntime140.dll |
Source: C:\Users\user\Desktop\Loader.exe | Section loaded: vcruntime140_1.dll |
Source: C:\Users\user\Desktop\Loader.exe | Section loaded: vcruntime140.dll |
Source: C:\Users\user\Desktop\Loader.exe | Section loaded: vcruntime140_1.dll |
Source: C:\Users\user\Desktop\Loader.exe | Section loaded: vcruntime140.dll |
Source: C:\Users\user\Desktop\Loader.exe | Section loaded: cryptbase.dll |
Source: C:\Users\user\Desktop\Loader.exe | Section loaded: kernel.appcore.dll |
Source: C:\Users\user\Desktop\Loader.exe | Section loaded: ntmarta.dll |
Source: C:\Users\user\Desktop\Loader.exe | Section loaded: secur32.dll |
Source: C:\Users\user\Desktop\Loader.exe | Section loaded: sspicli.dll |
Source: C:\Users\user\Desktop\Loader.exe | Section loaded: iphlpapi.dll |
Source: C:\Users\user\Desktop\Loader.exe | Section loaded: mswsock.dll |
Source: C:\Users\user\Desktop\Loader.exe | Section loaded: dnsapi.dll |
Source: C:\Users\user\Desktop\Loader.exe | Section loaded: rasadhlp.dll |
Source: C:\Users\user\Desktop\Loader.exe | Section loaded: fwpuclnt.dll |
Source: C:\Users\user\Desktop\Loader.exe | Section loaded: schannel.dll |
Source: C:\Windows\System32\certutil.exe | Section loaded: certcli.dll |
Source: C:\Windows\System32\certutil.exe | Section loaded: cabinet.dll |
Source: C:\Windows\System32\certutil.exe | Section loaded: cryptui.dll |
Source: C:\Windows\System32\certutil.exe | Section loaded: ncrypt.dll |
Source: C:\Windows\System32\certutil.exe | Section loaded: netapi32.dll |
Source: C:\Windows\System32\certutil.exe | Section loaded: ntdsapi.dll |
Source: C:\Windows\System32\certutil.exe | Section loaded: version.dll |
Source: C:\Windows\System32\certutil.exe | Section loaded: secur32.dll |
Source: C:\Windows\System32\certutil.exe | Section loaded: certca.dll |
Source: C:\Windows\System32\certutil.exe | Section loaded: cryptsp.dll |
Source: C:\Windows\System32\certutil.exe | Section loaded: samcli.dll |
Source: C:\Windows\System32\certutil.exe | Section loaded: logoncli.dll |
Source: C:\Windows\System32\certutil.exe | Section loaded: dsrole.dll |
Source: C:\Windows\System32\certutil.exe | Section loaded: netutils.dll |
Source: C:\Windows\System32\certutil.exe | Section loaded: sspicli.dll |
Source: C:\Windows\System32\certutil.exe | Section loaded: ntasn1.dll |
Source: C:\Windows\System32\certutil.exe | Section loaded: uxtheme.dll |
Source: C:\Windows\System32\certutil.exe | Section loaded: profapi.dll |
Source: C:\Windows\System32\find.exe | Section loaded: ulib.dll |
Source: C:\Windows\System32\find.exe | Section loaded: fsutilext.dll |
Source: C:\Windows\System32\find.exe | Section loaded: ulib.dll |
Source: C:\Windows\System32\find.exe | Section loaded: fsutilext.dll |
Source: Loader.exe | Static PE information: Virtual size of .text is bigger than: 0x100000 |
Source: Loader.exe | Static PE information: Image base 0x140000000 > 0x60000000 |
Source: Loader.exe | Static file information: File size 42460160 > 1048576 |
Source: Loader.exe | Static PE information: Raw size of .stz2 is bigger than: 0x100000 < 0x287c800 |
Source: initial sample | Static PE information: section where entry point is pointing to: .stz2 |
Source: Loader.exe | Static PE information: section name: .stz0 |
Source: Loader.exe | Static PE information: section name: .stz1 |
Source: Loader.exe | Static PE information: section name: .stz2 |
Source: C:\Users\user\Desktop\Loader.exe | Memory written: PID: 6468 base: 7FF8C8A50008 value: E9 EB D9 E9 FF |
Source: C:\Users\user\Desktop\Loader.exe | Memory written: PID: 6468 base: 7FF8C88ED9F0 value: E9 20 26 16 00 |
Source: C:\Users\user\Desktop\Loader.exe | Memory written: PID: 6468 base: 7FF8C8A6000D value: E9 BB CB EB FF |
Source: C:\Users\user\Desktop\Loader.exe | Memory written: PID: 6468 base: 7FF8C891CBC0 value: E9 5A 34 14 00 |
Source: C:\Windows\System32\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX |
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX |
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX |
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX |
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX |
Source: C:\Users\user\Desktop\Loader.exe | System information queried: FirmwareTableInformation |
Source: C:\Users\user\Desktop\Loader.exe | System information queried: FirmwareTableInformation |
Source: Loader.exe, 00000000.00000002.2645911033.0000000140103000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OLLYDBG.EXE |
Source: Loader.exe, 00000000.00000002.2645911033.0000000140103000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: X64DBG.EXE |
Source: Loader.exe, 00000000.00000002.2645911033.0000000140103000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: YQBX64DBG.DLLX32DBG.DLLX64_BRIDGE.DLLX64_DBG.DLLOLLYDBG.EXEX64DBG.EXEX64DBG-UNSIGNED.EXEX96DBG.EXEX64GUI.DLLX64BRIDGE.DLLX32DBG.EXEX32_BRIDGE.DLLX32_DBG.DLLX32BRIDGE.DLLX32GUI.DLLX96_BRIDGE.DLLX96_DBG.DLLX96BRIDGE.DLLX96GUI.DLLX96DBG.DLLX86_BRIDGE.DLLX64_DBG.DLLGELION-KEYAUTH-ONLY.DLLBROCESSRACKER.SIGPREV1.SYSHOOKLIBRARYX64.DLLHOOKLIBRARYX86.DLLSCYLLATEST_X64.EXESCYLLATEST_X86.EXEBROCESSRACKER.EXEX64DBGSCYLLA.DLLPYTHON64.DLLSCYLLAHIDE.DLL |
Source: C:\Users\user\Desktop\Loader.exe | Special instruction interceptor: First address: 143A58305 instructions rdtsc caused by: RDTSC with Trap Flag (TF) |
Source: C:\Users\user\Desktop\Loader.exe | Special instruction interceptor: First address: 143A58341 instructions rdtsc caused by: RDTSC with Trap Flag (TF) |
Source: C:\Users\user\Desktop\Loader.exe | Window / User API: threadDelayed 1006 |
Source: C:\Users\user\Desktop\Loader.exe | Window / User API: threadDelayed 8958 |
Source: C:\Users\user\Desktop\Loader.exe TID: 6300 | Thread sleep time: -45000s >= -30000s |
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed |
Source: C:\Users\user\Desktop\Loader.exe | Thread delayed: delay time: 45000 |
Source: Loader.exe, 00000000.00000002.2645911033.0000000140103000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: )vmware.dllVBoxHook.dlldbgeng.dllImDbg.dlldbgsvc.dllunpacker.exevmmem.dllVBoxRT.dlllibdwarf.dllVBoxSVC.dllVBoxOGL.dllVBoxDD.dllvboxdrv.sysHyperV.dllsandboxie.dllsandboxiedll.dllwin32_user64.dllgolang64.dllpdb64.dllqemu.dllkvm.dlldocker.dllcitrix.dllbluestacks.dllnox.dllgenymotion.dllmemu.dllvagrant.dllcygwin1.dllwsl.dllTitanEngine.dllScylla.dllScylla_x64.dllsymsrv.dllollydbg.dllida.dllida64.dlldbg64.dlldwarf64.dllidapython.dllidasdk.dllimmdbg.dlldnSpy.dllghidra.dllghidra64.dlljeb.dllprocdump.dllprocesshacker.dllwdbgexts.dlldebugevent.dllvehdebug-x86_64.dlldbghelp_x64.libdbghelp_x64.adbghelp.h_dbgfunctions.hDbgModelClient.dllfrida.dllfrida-agent.dlldbgmodel.dllx86_dbg.dllx86bridge.dllx86gui.dllx86dbg.dllVZZ^^ZZVV**..**66::>>::66* |
Source: Loader.exe, 00000000.00000002.2645911033.0000000140103000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: VBoxHook.dll |
Source: Loader.exe, 00000000.00000002.2645911033.0000000140103000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: qemu.dll |
Source: Loader.exe | Binary or memory string: vMcIwy |
Source: Loader.exe, 00000000.00000002.2645911033.0000000140103000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: vmware.dll |
Source: Loader.exe, 00000000.00000002.2645466692.0000000000452000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll |
Source: C:\Users\user\Desktop\Loader.exe | System information queried: ModuleInformation |
Source: C:\Users\user\Desktop\Loader.exe | Process information queried: ProcessInformation |
Source: C:\Users\user\Desktop\Loader.exe | Thread information set: HideFromDebugger |
Source: C:\Users\user\Desktop\Loader.exe | Thread information set: HideFromDebugger |
Source: C:\Users\user\Desktop\Loader.exe | Handle closed: DEADC0DE |
Source: C:\Users\user\Desktop\Loader.exe | Process queried: DebugPort |
Source: C:\Users\user\Desktop\Loader.exe | Process queried: DebugObjectHandle |
Source: C:\Users\user\Desktop\Loader.exe | Process queried: DebugObjectHandle |
Source: C:\Users\user\Desktop\Loader.exe | Process queried: DebugObjectHandle |
Source: C:\Users\user\Desktop\Loader.exe | Process queried: DebugPort |
Source: C:\Users\user\Desktop\Loader.exe | NtQuerySystemInformation: Direct from: 0x141E2FAE6 |
Source: C:\Users\user\Desktop\Loader.exe | NtSetInformationProcess: Direct from: 0x1439B6296 |
Source: C:\Users\user\Desktop\Loader.exe | NtUnmapViewOfSection: Direct from: 0x14399D784 |
Source: C:\Users\user\Desktop\Loader.exe | NtProtectVirtualMemory: Direct from: 0x143992536 |
Source: C:\Users\user\Desktop\Loader.exe | NtQueryInformationProcess: Direct from: 0x1436B79B6 |
Source: C:\Users\user\Desktop\Loader.exe | NtProtectVirtualMemory: Direct from: 0x141E3826D |
Source: C:\Users\user\Desktop\Loader.exe | NtQueryInformationProcess: Direct from: 0x143334132 |
Source: C:\Users\user\Desktop\Loader.exe | NtQueryInformationProcess: Direct from: 0x143A4EE5E |
Source: C:\Users\user\Desktop\Loader.exe | NtProtectVirtualMemory: Direct from: 0x1436CB381 |
Source: C:\Users\user\Desktop\Loader.exe | NtQuerySystemInformation: Direct from: 0x143A4A4BA |
Source: C:\Users\user\Desktop\Loader.exe | NtQueryInformationProcess: Direct from: 0x1439AB65B |
Source: C:\Users\user\Desktop\Loader.exe | NtQueryInformationProcess: Direct from: 0x143A4C33B |
Source: C:\Users\user\Desktop\Loader.exe | NtMapViewOfSection: Direct from: 0x1436C8DB7 |
Source: C:\Users\user\Desktop\Loader.exe | NtSetInformationThread: Direct from: 0x141E49F73 |
Source: C:\Users\user\Desktop\Loader.exe | NtProtectVirtualMemory: Direct from: 0x1432FFFED |
Source: C:\Users\user\Desktop\Loader.exe | NtQuerySystemInformation: Direct from: 0x1433316A0 |
Source: C:\Users\user\Desktop\Loader.exe | NtQuerySystemInformation: Direct from: 0x143971322 |
Source: C:\Users\user\Desktop\Loader.exe | NtOpenFile: Direct from: 0x143979827 |
Source: C:\Users\user\Desktop\Loader.exe | NtProtectVirtualMemory: Indirect: 0x141DF7489 |
Source: C:\Users\user\Desktop\Loader.exe | NtProtectVirtualMemory: Direct from: 0x141E501A6 |
Source: C:\Users\user\Desktop\Loader.exe | NtClose: Direct from: 0x143A4F7D8 |
Source: C:\Users\user\Desktop\Loader.exe | NtQuerySystemInformation: Direct from: 0x143980F7C |
Source: C:\Users\user\Desktop\Loader.exe | NtProtectVirtualMemory: Direct from: 0x143341EC6 |
Source: C:\Users\user\Desktop\Loader.exe | NtProtectVirtualMemory: Direct from: 0x143A2A71A |
Source: C:\Users\user\Desktop\Loader.exe | NtProtectVirtualMemory: Direct from: 0x1433145F6 |
Source: C:\Users\user\Desktop\Loader.exe | NtSetInformationThread: Direct from: 0x141E49C21 |
Source: Loader.exe, 00000000.00000002.2645911033.0000000140103000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: ollydbg.exe |